By using the RETIRE trick, it is possible to obtain Arceus via the Void glitch.

The steps below must be followed exactly. The RAM values being manipulated are loaded map data, and entering any map different than the ones you'd encounter by following the steps below may overwrite the data we need.

Each of the steps listed above loads a desired map property into memory, which we then travel to in order to encounter that property as our current map ID (in turn loading different map properties). Below are the target maps that get loaded—as well as the map property that determines the next map ID—in order to activate the RETIRE trick.

(2) Underground Sprite 1: X Coordinate: 392 (Route 221)

(392) Route 221 Warp 1: Map ID: 393 (Pal Park entrance)

(393) Route 221 R1-01 Warp 1: Map ID: 251 (Pal Park)

The maps and properties below lead to the Hall of Origin.

(45) Oreburgh City Sprite 13: X Coordinate: 316 (Lake Valor cavern)

(316) Lake Valor R1-03 Sprite 0: Flag: 510 (Hall of Origin)

Once Arceus is captured, the only thing left to do is to disable Pal Park mode and exit the void, which is done by using RETIRE in the Pal Park map. This is the only way to initiate the StopGreatMarsh 1 function.

Note: Encountering maps with IDs greater than 558 will overwrite almost all of the map data, so RAM values 0x022F - 0xFFFF should be avoided.

THE RETIRE TRICK

Using the RETIRE option in Pal Park works as expected—asking if you'd like to leave, then either warping you out or doing nothing. However, when used anywhere else, the RETIRE option will immediately run the 4th script loaded in a given map.

An important distinction to make is that this does not refer to the script at index 3 of the map data. Instead, it refers to the order that the scripts are run. For example, the Hall of Origin has only 3 scripts, but the order that the scripts are run is as follows:

Script 2

Script 3

Script 1

Script 3

Since the 3rd script is loaded twice, using the RETIRE option runs Script 3, which happens to be the encounter script for Arceus.

EDIT: After doing research into a few rare cases of the game crashing after Arceus is caught, I noticed that the cause of the freeze was caused by users hacking the Shaymin event into their game. Specifically, the data at [Base + 0x23998] is permanently changed from 0x76 to 0x7A after using the Oak's Letter key item and opening up Seabreak Path.

After saving at 430N and resetting, your position in RAM is set to [base] + 0x227D0. We're looking for a specific X coordinate's location in RAM, which is at [base] + 0x24A8C. There are multiple areas in RAM that hold your X coordinate, but this one in particular has a slight delay that allows us to battle Arceus in the Hall of Origin itself.

Do you think there might be a way to bypass the invisible walls by making different steps?

Absolutely! As long as we can encounter our X and/or Y coordinate data in the void, all that would need to be altered are the steps to get there. My exact method in the original post isn't the only way to obtain Arceus though.


I've actually been working on this for some time now, and I've come up with a completely safe method that will always work on any version of Pokemon Diamond and Pearl, regardless of save progress. In addition, it can be performed in under 15 minutes (8,046 steps) and allows you to encounter Arceus an unlimited amount of times.

Wow! Amazing. Could... could there be a way to obtain ACE using such a method? Maybe using an invalid map to overwrite a script pointer, then adding the RETIRE option, then using the option to run some payload code in RAM? Not sure if that's even possible x)


I've updated the original post with the steps.

Amazing! I didn't expect it to be found this quickly. Congratulations!! This is groundbreaking.


Admin of the PRAMA Initiative, the main French Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov


Any chance of a more technical writeup? I still don't fully understand why this actually works, in fact, the explanations that have been given just make more questions.

The list of steps and the current explanation, to me, seem like bits are being flipped somewhere useful, and this is being abused to gain some kind of write primitive. Is this basically correct?

Sure thing!

It (unfortunately) doesn't provide any form of arbitrary write capabilities; rather, it forces known values to be loaded into RAM for chained exploitation.

BACKGROUND

Pokemon D/P uses dynamic addressing, so the base address and most associated memory offsets will be different across each localization of D/P. For consistency, I'll be using the addresses and offsets for the US version of D/P.

All maps in the game have 4 main event properties associated with them: Furniture (statues, plants, etc.), Objects (sprites), Warps (doors, cave entrances, etc.), and Triggers (automatic script-triggering tiles). Below is a table of the base address and memory offsets that will come into play later.

At offset 0x22ADA from the base address, we've got the layout of the map matrix. This is an 1800-byte section that defines which map ID you'll enter when you travel a certain distance in that map. In Sinnoh, this takes up much of the 1800-byte space, whereas indoor areas take up hardly any of it.

The reasoning behind the 1800-byte length comes from the maximum matrix height and width allowed—30x30. Let's use Sinnoh as an example, which has matrix dimensions 30x30. This means that the layout of map IDs contained within this area wrap around every 30 map IDs, or every 60 bytes. It may be hard to visualize by just looking at a stream of map IDs, so I've placed the 1800-byte map matrix layout over the Town Map so you can see just how it all fits together.

Visually, traveling downwards from Jubilife City into Route 202 is simply going from map ID 3 to map ID 343, which is true, but what's also happening is that your position in RAM is being offset by a number of map IDs equal to the value of the matrix width—30 in this case. This means that traveling downwards by 1 map ID is the same as traveling to the right 30 map IDs. Since each map ID takes up 2 bytes, it can be more accurately said that traveling downwards by 1 map ID (32 steps) actually seeks 60 bytes forward in RAM.

Following the map matrix layout is a 900-byte section that defines the border map height. Following that is another 1800-byte section that defines the actual map data indices (which contain movement permissions, 3D model data, terrain information, etc.), but we're only concerned with the data after all of the previous 4500 bytes.

MAP DATA

The previous 4500 bytes are all determined upon loading your saved game. As long as you don't initiate a warp (such as entering a doorway or triggering an automated warp like the Vista Lighthouse elevator), the aforementioned bytes will remain unchanged. The bytes concerned with map data, however, will predictably change depending on which map you're currently in.

Starting at offset 0x23C80 from the base address is the loaded data for the current map ID. When a new map is entered, such as when traveling downwards from Jubilife City to Route 202, the previous 4500-byte section will remain the same while the map data after it will change depending on what furniture, objects, warps, and triggers are present.

What's even more interesting is that old data will only ever be overwritten by new data. Even if a new area is loaded, if the previous map contained more map data than the new map, then the old map data will still remain there. For example, traveling downwards from Jubilife City to Route 202 will cause many of the sprites that Jubilife City loaded to remain in memory since Jubilife City loads many more sprites than Route 202.

This is the data that we'll be manipulating in order to successfully exploit this mechanism to load any location we want.

HOW IT WORKS

With all the necessary background information out of the way, it's time to explain what's really going on from start to finish.

Since the Poketch Co.'s map matrix is only 1x1, traveling down or right will seek 2 bytes forward in memory, while traveling left or up will seek 2 bytes backward in memory. That being said, the first 5 steps before the Save/Reset will seek 126 bytes backward in memory, then 32 bytes forward in memory.

This places us 94 bytes behind the beginning of the map matrix layout, which happens to be a map whose ID is greater than 558. Map IDs above that point default to the properties of Jubilife City, making them safe to save in, but they also overwrite nearly all of the current map data due to how many objects it loads.

After saving and resetting, however, our position in RAM is vastly different; instead of being 94 bytes behind the beginning map matrix layout, we're now 834 bytes into the map matrix layout. This is because of how the game recalculates your current offset in relation to your current X/Y coordinates.

Upon saving the game, the map matrix layout data associated with that map ID is written to your save file. After resetting at this point, our position in RAM was recalculated to conform to the new map matrix dimensions, which are now 30x30.

The 32 E and 32 W steps before and after the 384 S are to bypass an area that contains map IDs between 176 and 188, which will guarantee a crash when an action that redraws the entire screen (such as exiting a battle or returning from the Pokedex, bag, etc.) is performed.

The 1792 S is to get through the entirety of the map matrix layout, placing us in the actual map data. At step 1664 S, we actually encounter an Underground area (map ID 2), which loads all of its map data; Sprite 1 of the Underground is located at X coordinate 392, which is the map ID for Route 221.

If we can encounter that X coordinate data for Sprite 1 in RAM, then the map data for Route 221 will load, immediately changing every piece of data around us and opening up new avenues of map loading and map resource loading—effectively allowing a form of controlled teleporting in the void. The 160 W steps at the end of Step 2 put us at that very address, and the map data for Route 221 loads around us.

Route 221 happens to contain a warp whose destination is map ID 393, which is the Pal Park entrance. Repeating the previous methodology, that first 1 N step in Step 3 lands us at that address and loads the map data for the Pal Park entrance.

The Pal Park entrance understandably contains a warp to map ID 251, which is Pal Park itself. We use the same method to travel to the address containing that warp destination data, and that second 1 N step in Step 3 is what loads the map data for Pal Park and also puts us into Pal Park mode.

Step 4 is short, but the 66 S step does two important things. The 65 S step loads the map data for map ID 45, Oreburgh City. Sprite 13 in this data has an X coordinate of 316, which is the map ID for Lake Valor cavern. Funny enough, this destination is loaded in the exact spot that we traveled to for Oreburgh City (map ID 45) just immediately before. The last final step of those 66 S steps loads the map data for Lake Valor cavern. The 1 N step afterwards is to correct for the previous 1 S needed to get to Lake Valor cavern.

Sprite 0 in Lake Valor cavern has a flag value of 510, which is the map ID for the Hall of Origin.

Even now the Hall of Origin would be impossible to access, since every single movement would end up in that particular address being impossible to access. The only mechanism that saves this method is that entering a Mystery Zone area clears out the first few dozen bytes where the addresses and furniture, object, warp, and trigger counts are stored, since Mystery Zones all have a value of 0 for these.

That final 226 E in Step 5 traverses this now-cleared space in order to arrive at Sprite 0's flag value and, as a result, load the map data for the Hall of Origin.

Unfortunately, the Hall of Origin itself doesn't have any event properties with a value of 510, meaning that we only have 1 tile (the tile we're currently on) in which to encounter Arceus. This does mean that we have to battle and catch Arceus in the Mystery Zone, since Arceus's script moves us up 2 spaces, but that's a sacrifice made in the interest of catching Arceus for the first time ever in under 15 minutes.

After the battle is over, we repeat the same method for the first few steps—Route 221, then the Pal Park entrance, and finally Pal Park. Using the RETIRE option in Pal Park is literally the only way to get out of the void and Pal Park mode both at once.

OTHER STUFF

I've attached dumps of all of the scripts and event properties for every map in the US version of D/P for convenience. (mostly for looking up usable map properties for map data loading purposes)

Also, it is possible to catch Arceus in the Hall of Origin, but it involves an 11k trek downwards and utilizes the (quite chaotic) loading of 3D models in order to spawn a map that contains a model with ID 510 (which itself is a broken pillar). Ironically, the only map in the game to contain this specific 3D model happens to be Spear Pillar. I chose this method because it's much shorter and much easier to predict what data is going to be loaded.
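A small model of the mechanism described in the writeup above, as an added example that is not from the post or the game's code: a matrix lookup with no bounds check walks past the 30x30 matrix into loaded map data, where a field left behind by an earlier, larger map is read as a map ID. The function names, the 64-byte and 8-byte sample maps, the field position and the two hardened variants (bounds check, clearing the buffer on load) are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the layout in the post; not the game's code.
 * Offsets are relative to the map matrix at [base + 0x22ADA] (US D/P). */
#define MAP_DATA_OFF (0x23C80u - 0x22ADAu)  /* loaded map data starts here */
#define REGION_BYTES (MAP_DATA_OFF + 512u)  /* 512 is an arbitrary model size */
static uint8_t region[REGION_BYTES];

/* One map right = 2 bytes, one map down = width * 2 bytes. */
static long cell_offset(int width, int col, int row) {
    return 2L * ((long)row * width + col);
}

/* Unchecked read: whatever 16-bit value sits at the offset becomes a map ID. */
static uint16_t map_id_unchecked(int width, int col, int row) {
    long off = cell_offset(width, col, row);
    if (off < 0 || off + 1 >= (long)REGION_BYTES) return 0; /* model guard only */
    return (uint16_t)(region[off] | (region[off + 1] << 8));
}

/* Hardened read: coordinates outside the declared matrix are rejected. */
static int map_id_checked(int width, int height, int col, int row, uint16_t *out) {
    if (col < 0 || row < 0 || col >= width || row >= height) return -1;
    *out = map_id_unchecked(width, col, row);
    return 0;
}

/* Loader copies only the new map's bytes; clear_rest=1 is the hardened form. */
static void load_map_data(const uint8_t *data, size_t len, int clear_rest) {
    if (clear_rest) memset(region + MAP_DATA_OFF, 0, REGION_BYTES - MAP_DATA_OFF);
    memcpy(region + MAP_DATA_OFF, data, len);
}

/* Load a large map, then a small one, then read past the 30x30 matrix. */
static uint16_t stale_read(int clear_rest) {
    uint8_t big[64] = {0}, small[8] = {0};
    big[40] = 0x88; big[41] = 0x01;      /* constructed object field: X = 392 */
    memset(region, 0, sizeof region);
    load_map_data(big, sizeof big, 0);
    load_map_data(small, sizeof small, clear_rest);
    long cell = (MAP_DATA_OFF + 40) / 2; /* cell index that lands on the field */
    return map_id_unchecked(30, (int)(cell % 30), (int)(cell / 30));
}

int main(void) { return (stale_read(0) == 392 && stale_read(1) == 0) ? 0 : 1; }
```

With the non-clearing loader the out-of-range cell (column 29, row 75) yields 392, the leftover X coordinate; clearing on load or checking the coordinates against the matrix dimensions removes that value from reach.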

Thank you for these explanations Cryo, makes it much easier to understand. I am interested in the 11k path you mention to get Arceus in the HoO. Could you explain how to do that theoretically? Thanks


Sure!

Whenever you load Spear Pillar (map ID 220), the value at [Base + 0x2A576] becomes 510. This area is preceded by a ton of other data though, so it's extremely difficult to get to, if not impossible. It would require loading areas that replaced the data in front of it such that it was made safe.

A more efficient method, however, may be loading the Battle Tower's WiFi Battle Room (map ID 331), since that's located at [Base + 0x2974D], which is very near the start of that data section. It might be doable, but it's definitely a better shot than the Spear Pillar one.